Ever since the advent of digital computers, access control has been an important topic of computer security. To protect the integrity of computer systems and the confidentiality of important data, various access control schemes have been implemented to prevent unauthorized users and malicious attackers from gaining access to computer resources.
Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. In private and public computer networks (including the Internet), authentication is commonly done through the use of usernames and passwords. Knowledge of a password is assumed to verify the user's identity. Each user registers initially, using an assigned or self-declared password. On each subsequent use, the user must know and use the previously declared password.
The use of traditional passwords has some weaknesses which allow it to be subject to brute force password guessing attacks. Many users do not choose or use complex passwords. Many companies have chosen to use one time password (OTP) devices to enhance security. However, these one time password devices are not integrated with operating systems.
Moreover, modification of clients may be used, usually accompanied by the storing of user passwords in a third party server which is not a very secure mechanism. Also, this requires the modifications of individual client applications.
Many institutions require a more stringent authentication process than the simple username and password approach.
An authentication protocol is a sequence of steps that is carried out in an authentication. When a client desires a connection to a server, authentication is required. An exemplary authentication protocol is Kerberos. According to the Kerberos protocol, authentication of the connection to the server is accomplished via a ticket. The ticket is initially received by the client from a ticket-issuing facility on the network known as a key distribution center (KDC). The ticket is re-useable for a period of time, whereby even if the session is terminated, the client does not have to repeat the authentication process while the ticket is still valid.
Thus, various schemes based on different protocols, such as the Kerberos protocol, have been proposed and implemented for controlling network access control by means of user authentication. Generally, the user logon for a computer and the user authentication for network access control are two separate procedures. Nevertheless, to minimize the burden on a user in dealing with the different access control schemes, the user logon and the user authentication for network access are sometimes performed together. For example, in the case where the user authentication is implemented under the Kerberos protocol, when the user logs on the computer, the computer may also initiate a Kerberos authentication process. In the authentication process, the computer contacts a Kerberos KDC to first obtain a ticket-granting ticket (TGT) for the user. The computer can then use the TGT to obtain from the KDC a session ticket for itself.